Checkmarx Blog

Whatyouneed2know

Inflight Security is more than just a life vest

May 19, 2015 By Amit Ashbel | Are you afraid of flying? The following information won’t make you feel any safer. Inflight Entertainment systems (IFE) have evolved significantly over the years. Nowadays you can actually connect via your own mobile device to the IFE system and watch TV series, movies or just listen to music and see the flight status. Sounds good, right? Well, yes and no. We all agree that flights should include some kind of entertainment to “survive” these hours of boredom on the flying metal box. However should airlines risk flight security for the latest Box office blockbuster?  
Read More »
AppSec Metrics

Application Security Metrics: Where (And Why) To Begin?

May 15, 2015 By Sarah Vonnegut | A wise man once said, “to measure is to know…if you cannot measure it, you cannot improve it.” When it comes to application security, measurements are crucial to the success of your program. But determining how to best combine your measurements into metrics which show your programs value is much more important.
As a CISO or the like, you lead a team that the business absolutely depends on. Unfortunately, information security in general and application security in specific have a hard time gaining support, even if the latest Verizon Data Breach Investigation Report noted that 75% of web app attacks are financially motivated, and that application security falls “squarely under ‘the cost of doing business.’
Read More »
Whatyouneed2know

Starbucks Application Breach #2

May 14, 2015 By Amit Ashbel | What was stolen?
A new attack on the Starbucks Mobile Payment Application was launched. Criminals have been breaking into individual customer rewards accounts and transferring funds to other accounts.
How was the attack executed?
Read More »
Code Injections

5 Deadly Code Injections That Can Obliterate Your Application

May 13, 2015 By Sharon Solomon | Cybercrime has evolved significantly over the years. While initially based mainly on social engineering and phishing, hackers today implement a wide range of techniques to exploit vulnerable applications with porous code. Code injections have arguably become the weapons of choice for hackers and are constantly being used to perform high-profile hackings worldwide.     
Read More »
6 Tips for Ensuring Your AppSec Program

6 Tips for Ensuring Your Application Security Program Isn’t a Flop

May 08, 2015 By Sarah Vonnegut | Baking security in to our applications is just not an option anymore. The explosion of the number of applications within organizations, coupled with the constant breaches we hear about (and the many more we don’t) don’t allow room for complacency when it comes to securing your organization and customer data.   Yet CISOs and security managers still struggle to receive the support and buy-in for basic application security practices while developers are still making careless security mistakes, all because application security is still not being taken seriously enough.   One of the best ways of getting the organization’s support towards AppSec is coming to the board with a clear, measurable program in place.  And even with an AppSec program in place, it’s difficult to know if you’re “doing it right.” Here we offer six points of attention any security practitioner either implementing or designing an application security program should heed.
Read More »
Logo

PCI DSS Compliance Made Easy Using Source Code Analysis

May 05, 2015 By Sharon Solomon | The e-commerce and retail fields have undergone mammoth changes over the last decade. Paying in hard cash has almost become a thing of the past. Credit and debit cards are now being used to conduct millions of transactions and e-shopping purchases on a daily basis worldwide. But this new reality has also introduced numerous security perils.  
Read More »
Moscone

19 Points of AppSec Wisdom from RSA 2015

Apr 30, 2015 By Amit Ashbel | So, we are back from RSAC 2015!  Our heads full with new information, our sales teams loaded with new connections to follow up with and our bags full of useless giveaways :). Other than achieving absolute culinary success with some quite impressive restaurants and enjoying an impressive Faith No More concert at the San Francisco Warfield we also did some work. As usual it was an interesting and fruitful RSA Conference. Concentrating on Application Security, which had its own dedicated track, we decided to summarize a few of the more interesting talks. Among those, our own one and only, Maty Siman.
Read More »
Thumb

SAST vs DAST – Why SAST?

Apr 29, 2015 By Sharon Solomon | Application security used to be an afterthought until a few years ago, but the exponential rise in cybercrime and malicious activity has made organizations pay more attention to this crucial aspect. This realization has also brought up a widespread discussion about the pros and cons of the various AppSec solutions that are on offer in the market.   While Penetration (Pen) Testing, Interactive Application Security Testing (IAST) and Web Application Firewalls (WAF) are widely recognized security methodologies, they are typically used as processes to compliment the two most popular solutions in use today – Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST).  
Read More »
15-sites-to-practice-hacking

15 Vulnerable Sites To (Legally) Practice Your Hacking Skills

Apr 16, 2015 By Sarah Vonnegut | They say the best defense is a good offense – and it’s no different in the InfoSec world. Use these 15 deliberately vulnerable sites to practice your hacking skills so you can be the best defender you can – whether you’re a developer, security manager, auditor or pen-tester. Always remember: Practice makes perfect! What other sites have you used to practice on? Let us know below! 15 Vulnerable Sites To (Legally) Practice Your Hacking Skills //
View more lists from Checkmarx Now that you’ve mastered your offensive security skills, make sure you understand what you’re defending against with our AppSec Beginner’s Guide!
Read More »
XSS Guide new site

XSS: The Definitive Guide to Cross-Site Scripting Prevention

Apr 14, 2015 By Sarah Vonnegut | As old as web browsers themselves, cross-site scripting (XSS) has been an ongoing issue in the security world. Its’ consistent appearance on the OWASP Top 10 and in news reports of cross-site scripting attacks has kept the security issue in the spotlight over the years. Yet after two decades the security issue remains one of the most common attacks on web applications, with consistent reports of over 70% of sites at risk.   So, what is Cross-Site Scripting and how do we change our habits as users, developers and security professionals so we can prevent attacks once and for all?   
Read More »

Stay Connected

Sign up today & never miss an update from the Checkmarx blog

Get a Checkmarx Free Demo Now

Interested in trying CxSAST on your own code? You can now use Checkmarx's solution to scan uncompiled / unbuilt source code in 18 coding and scripting languages and identify the vulnerable lines of code. CxSAST will even find the best-fix locations for you and suggest the best remediation techniques. Sign up for your FREE trial now.

Checkmarx is now offering you the opportunity to see how CxSAST identifies application-layer vulnerabilities in real-time. Our in-house security experts will run the scan and demonstrate how the solution's queries can be tweaked as per your specific needs and requirements. Fill in your details and we'll schedule a FREE live demo with you.